Information Technology and Ethics/The Privacy Chapter : Completed
Introduction to Privacy
[edit | edit source]Privacy, is assurance that the confidentiality of, and access to, certain information about an entity is protected.. In terms of information technology, this means protection of personal/sensitive information that is not accessible to anyone other than the individual self. There are various types of privacy in general. But the most relevant ones for this chapter are:
- Internet privacy - Privacy related to any activity being carried out online via internet.
- Informational privacy - privacy specifically related to an individual or companies information.
The content that follows is a synopsis of the subjects that will be explored in relation to privacy in information technology.
The first chapter will give an in-depth discussion of privacy rules and concepts. It will include privacy legislation and guiding principles, as well as how firms collect and use personal data, as well as consent and data retention standards.- Privacy Policies and Principles
The second chapter will focus on the influence of social networking sites on privacy. Social media has become embedded in daily life, but it also offers a variety of privacy risks. This section will look at how using social networking sites impacts privacy, including data collection, tracking, and measures to protect privacy while doing so.- Privacy and Social Networking Sites
The third chapter will concentrate on the Internet of Things (IoT) and its implications on privacy. As there are more connected electronics in our homes, workplaces, and even on our bodies, it has become increasingly difficult to maintain our privacy. This section will discuss the many privacy risks associated with IoT, as well as ways for mitigating them.- Privacy and The Internet of Things
The fourth chapter will go into privacy in healthcare. The healthcare industry deals with sensitive personal data, and privacy infractions can have major consequences. This section will discuss the importance of preserving individual patient health information as well as the legal frameworks that regulate patient privacy.- Privacy and HealthCare
The fifth chapter will go over data protection and how it affects privacy. Because of the expanding number of produced personal data, it is now critical to safeguard personal data from unauthorized access, use, or disclosure. This section discusses the multiple measures and legislation in place to ensure data protection and privacy.- Privacy and Data Protection
The sixth chapter will go over finance and how it affects privacy. Due to the importance of safety and security when dealing with money, it is extremely important to maintain privacy while interacting with finances. This section discusses the important laws and statistics regarding finances and privacy.- Privacy and Finance
The seventh chapter will look at children and their relationship with privacy. As technology develops, it becomes more and more accessible to children, so keeping children and their data private has had a greater emphasis placed on it recently. This section will dive into privacy concerns, laws, and the importance of privacy for children.- Privacy and Children
Privacy Policies Principles
[edit | edit source]What is a Privacy Policy?
A policy can be thought of as a rule set forth at an organization such as a company, municipality, or even University. These rules essentially are in place to govern the actions of employees, faculty, or students in keeping with a previously established code of conduct. Policy controls how its staff, teachers, or students behave in accordance with a moral code that has already been established. When referring to a Policy one can think of it as “...a statement imposed from the outside and must be obeyed to avoid incurring some kind of penalty…”[1]
A privacy policy is a series of guidelines created to safeguard both individuals' and an organization's privacy. These guidelines are frequently instructions on how to maintain privacy when utilizing a particular technology.[2]
What is a Privacy Principle?
Privacy principles are fundamental values or theories that define how an individual or organization views privacy. These principles help to shape and direct laws, policies, and practices that govern the handling of personal information. Privacy principles can include things like transparency, accountability, and consent, among others.
To ensure that a privacy policy is effective, it must be communicated clearly and in plain language that is easily understood by everyone. This is particularly important in settings like the workplace or higher education, where individuals may come from diverse backgrounds and have varying levels of education and familiarity with privacy issues. Using basic terminology and avoiding technical jargon can make policies more accessible and help to ensure that everyone understands their rights and obligations. Additionally, privacy policies should be concise, well-organized, and easy to navigate, so that individuals can quickly find the information they need and make informed decisions about their personal data.[2]
Appropriate Content for Policies and Principles
There are a few common aspects of all policies that make them effective, especially in a workplace or higher education environment. A policy should always be written in simple terms in order to best be understood by the most number of people, which also means clear language must be followed. The benefits to stakeholders or individuals affected by this are taken into account when forming a policy.
A policy should be well balanced in which it’s not too restrictive to individuals and not too free flowing and broad. It also has clearly defined and easy to understand steps, in this case steps to take in order to have privacy. And one of the most important aspects is that individuals affected by a policy are able to understand it in order to follow it to the best of their ability.
Government Privacy Principles
The government privacy principles vary depending on the country and its legal framework. However, in general, government privacy principles are intended to protect the personal information of citizens that is collected, used, and disclosed by government agencies.[3]
Here are some of the common principles:
- Collection Limitation: Personal information should be collected only for a specific purpose that is related to the government agency's functions or activities.
- Data Quality: Personal information should be accurate, complete, and up-to-date.
- Purpose Specification: The purpose for which the personal information is collected should be clearly stated and understood by the individual.
- Use Limitation: Personal information should only be used for the purpose for which it was collected, except with the consent of the individual or as required by law.
- Security Measures: To safeguard personal information from unauthorized access, disclosure, or abuse, government agencies should implement adequate security measures.
- Transparency: Government agencies should be transparent about their privacy rules and procedures, making them freely accessible to the public.
- Individual Participation: Individuals should have the ability to view and amend their personal information maintained by government entities.
- Accountability: Government agencies should be held accountable for adhering to privacy rules and regulations, and they should be able to demonstrate compliance to the public.
Below is the Privacy policy created by FTC in USA.
FTC
In 1998, the Federal Trade Commission in the US codified what already were basic principles of privacy long before the mainstream explosion of the internet. The report was called “Privacy Online: A Report to Congress”, and at the start with:
“Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the man ner in which entities collect and use personal information-their "information practices"-and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices.”[4]
In this report, the FTC set the groundwork for how it would be involved in enforcing privacy in the United States. With that it pointed out five principles of privacy protection, which include Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress.
Notice/Awareness
The concept of Notice means to know or be conscious of a certain action being taken. In terms of privacy on the web, users are put on notice to how websites view ownership, security practices, and terms of use (like the end user license agreement). Examples of this include splash pages for user to click through that explicitly say by clicking through the user accepts the terms of use. A common one is notifying the user that cookies are being used on the site to track their visit.
The privacy statement of a website will also include, in more codified language, a means of providing privacy notice to users. That FTC has deemed that some or all of the following points should be included in any privacy statement and to make sure the user is informed of what they are doing when given away personal information:
- Identification of the entity collecting the data
- identification of the uses to which the data will be put
- identification of any potential recipients of the data
- The nature of the data collected and the means by which it is collected if not obvious ( passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information)
- Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information, and
- The steps taken by the data collector to ensure the confidentiality, integrity and quality of the date[4]
Choice/Consent
The main purpose of this principle is to give end users governance over the use of their own personal data. The FTC wanted to mainly focus on the secondary use of data, or “uses beyond those necessary to complete the contemplated transaction.” [4] There are two methods that have become commonplace to deal with Choice/consent, that is either opt-in or opt-out. Opt-in has the users explicitly allow certain use of their data. While opt-out has the user explicitly deny the use of their data. The difference between the two is the default option, opt-in users by default allow their data to be used, while opt-out by default deny’s the use of a user's data for things outside of the initial transaction.
Access/Participation
The third principle involves letting people know that a corporation has information about them and allow them to dispute the accuracy of the information. According to the FTC, “...access must encompass timely and inexpensive access to data…”[4] Meaning that the ability to submit changes needs to be quick and inexpensive to accomplish by the user. The mechanism for these changes must also be simple, have a way that the corporation can verify submitted information, and be able to disseminate the corrected information to all recipients of the data.
Integrity/Security
This principle ties in closely with the Access/Participation principle, with this one having the goal of making sure that date is accurate as well as secure. This principle puts the onus on the data collectors by making them take appropriate steps. Things such as providing consumers appropriate access to data, using data sources that are reputable, investigating where that data is coming from, and relevant technical measure to protect the data once it is in their hands. Some technical measures included by the FTC are:
- Use of encryption in the transmission and storage of data
- Limits on access through use of passwords
- Data is stored on secure servers or computers that are inaccessible by modem
Enforcement/Redress
The final privacy principle states that “...the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.”[4] This essentially means that in order for any of these state privacy principles to be effective, proper mechanisms must be in place to enforce them. In the case of no enforcement or redress mechanisms, outside forces take precedent such as industry self-regulation, government legislation, and even regulatory schemes brought about through civil and criminal sanctions.
Privacy and Social Networking Sites
[edit | edit source]Introduction
[edit | edit source]Our personal information is more susceptible than ever in the era of social media. Privacy has grown to be a top issue for consumers as social networking services gain more and more traction. Although these websites provide users the opportunity to share private information with a big audience, they also put them at risk of identity theft, cyberbullying, and other online dangers. The subject of privacy on social networking sites has emerged as being crucial in this context. The purpose of this introduction is to discuss the difficulties users have in maintaining their users' privacy on social networking sites.
Social media alludes to websites and applications that are designed to allow people to share content quickly, efficiently and in real-time. It can also be said that social media are apps on smartphones or tablets, but the truth is, this communication platform started with the use of internet in computers. It started with just being part of groups, and went on to online chat rooms to fully functional websites and apps that people use to share videos, pictures and thoughts, marketing, dating as well as influencing others.
So then arises the question of what is the difference between social media and social network? Social media means the content that one posts online. It could be a blog, slideshow, podcast etc. Whereas social networking site is the medium via which a person can create relationships, communities, followers etc. Furthermore, one can also say that social networking is just a subset of social media.[5]
History
[edit | edit source]A look into the background can help widen the horizon for understanding how social media got so relevant in the first place. Backing up all the way to 1978, BBS was created which is Bulletin Board System accessible via dial up model and was used primarily for communities which had specific interests. Next came along CompuServe which became popular where people could share files, access new and other events. They could interact via email. AOL and Yahoo Groups in 1994 was the very first originator to social networking sites, where one could be part of communities and the members had a profile. Fast forwarding to 2002, where came Friendster, which encouraged people to bond with common interests. Also, in the same year, LinkedIn launched with an aim of career networking but did not gain much traction until 2010.[6]
In 2003, Myspace came into existence , where youngsters could see each other's activity as long as they were part of each other's networks. In 2004, came the biggest game changer and that is Facebook which connected people with their friends and a lot of other features that were enabled along with posting videos, pictures and content sharing among friends and also other people who could search you online. Then came in 2005, YouTube which was exclusively a video upload and sharing platform and still is the number 1. In 2006, Twitter came into existence which limited interactions in the form of comments and posting tweets. Instagram made its debut in 2010 with the focus of being the sole photo sharing/editing app and then came Snapchat in 2011 which allowed to share moments with friends.[7]
As one can see this is how social media started gaining momentum and with different websites/apps offering unique features on their platform it became essential for every youngster/general public to become a part of this to keep up with the times and stay connected to everyone as much possible. Social networking sites which are the most popular today are Facebook, Messenger ,Instagram, Snapchat ,Twitter, Whatsapp and TikTok.[8]
That being said, the advent of social networks brought on a host of various concerns and the biggest concern for social media is privacy. But for a long time, very few people were actually aware of privacy. In fact , since it was so new and the young generation as well as the older ones who got connected to a lot of acquaintance and new friends, they did not realize that their conversations in a lot of social network platforms could be viewed by other people as well. That is just the way the social network platform algorithms were built that allowed people outside of connections to view content and also follow/stalk other people including the activities of a person on that particular social networking site.
According to a 2014 survey, 91% of Americans “agree” or “strongly agree” that "people felt that they lost control over how personal information is collected and used by all kinds of institutions". 80% of social media users said they were uneasy about advertisers and organizations having a way to use the data that was posted on social media platforms and 64% were of the opinion that government should be more proactive on data handling, as this data was being used by marketers.[9]
Social networking sites continue to be a worry despite continued attempts to resolve privacy issues. A significant incident involving the political consulting firm Cambridge Analytica, which illegally stole data on millions of Facebook users, impacted Facebook in 2018. It is expected that new methods for defending user privacy and making sure their personal data is protected online will emerge as technology advances. Overall, social networking sites continue to play a big role in our lives, but privacy protection is still a top priority when using them.
Individual privacy as a concept
[edit | edit source]In an independent study, according to CPO magazine it was found that the privacy cannot be completely possible as friends always make it a likelihood of sharing the user's information to other people outside the network as well. There is also something known as a concept of choice of individual privacy that is completely dependent on an individual as to how much information they want to share with the world.[10] Looking at the above statement, an advocate of the individual privacy will say that one cannot completely obscure information from everybody. So, it is better to not put it online at all. Some who do not agree with it say that one should not expect privacy to be a big factor if they are sharing personal information on social media as they are doing it by choice and leave it to be viewed by friends and those who wish to see their information.
Privacy concerns
[edit | edit source]In today's digital environment, privacy concerns with regard to social media are a big problem. Here are a few instances:
Privacy Settings of Major Platforms
[edit | edit source]These settings are built in a way that if a user is not vigilant, they might end up sharing not only their personal data but also their activity unintentionally to companies and other third party who are always looking towards improving their own websites accessibility and marketing.
Location Stealing
[edit | edit source]Enabling GPS location of the user's taking the data from the cell phone, this "can be used to build up a picture of your everyday movements. Location data can be coupled with other data and aggregated to create a very specific picture of an individual’s life and habits".[11] This also encourages stalking and can also be used for nefarious purposes other than the invasion of privacy.
Identity Theft
[edit | edit source]Hacking can lead to stealing a user's identity and can also ruin a person's reputation and image in front of their friends and followers if wrong things are posted online and different kinds of malicious acts are committed from their accounts ,which include stealing credit card numbers, bank account numbers and login passwords.
Abuse
[edit | edit source]Creating fake profiles, trying to seduce younger teenagers and luring them out to physically abuse them or emotionally blackmail either them or the people that are known to each other can go on indefinitely until reported. Especially if intimate pictures/videos/audios are leaked online by the perpetrators.
Stalking
[edit | edit source]Not only the location can be tracked , if enabled on the phone by a potential stalker, they could be also keeping eyes on the target's move every time of the day. This helps the lurkers to actually judge and try to know the person based on their target's online activity and then maybe plan their own moves accordingly to harm their target or kidnap them or worse.
Cyberbullying and harassment
[edit | edit source]People can be bullied and harassed online, frequently in an anonymous manner, via social media platforms. This may adversely affect a person's mental health and general wellbeing.
Deepfake Technology
[edit | edit source]Deepfake technology allows for the creation of fake pictures and videos that may be used to disseminate propaganda and false information.
Data Collection and Tracking
[edit | edit source]Social media networks gather a ton of user information that is frequently utilized for marketing and advertising. Users may not be aware of how their data is being utilized, which raises privacy issues around this data collecting.
Third Parties Access to Data
[edit | edit source]Social media platforms may divulge user information to outside developers, marketers, and other businesses, raising questions about how that information is utilized.
Evolution of Privacy in Social Networking sites
[edit | edit source]In the upcoming paragraph taking a look at how Facebook and other companies took advantage of the non-existing privacy laws and why because of them new rules have been created.In a way they have definitely brought on change with the new times and also exposed the need to have stringent policies and laws in the first place.
This started first in 2006 [12] when there was a lot of noise regarding Facebook Newsfeed feature of the networking site and the concern that arose was that this endorsed stalking and also is an intrusion of privacy. The user had very little control over the information that they were sharing at the time, including changes in user's profile and other details related to them. This was resolved when Zuckerberg introduced privacy feature for the newsfeed and apologized for not taking into consideration the user's input when it came to privacy. Similarly, after three years and then consecutively since Facebook was the reigning social networking site at the time , they introduced a series of changes thus constantly targeting the privacy of users.
Some of the other major events include :
2007 to 2009 - Facebook launched 'Beacon' which let its users who shop at third party websites broadcast their purchases to their friends on it. Facebook receives this third-party information and shares it unless user opt-out during a brief pop-up window at the third-party site. This received a lot of backlash where some organizations like MoveOn.org demanded that Facebook allow explicit opt-out from sharing this information. Later on, they did modify the privacy features of Beacon, giving users limited opt-ins. By almost the end of 2008, Facebook launched 'Social Ads' which let "marketers create Facebook profiles and purchase advertising targeting other users profile information. Further, a user’s name and picture will be shown to their friends in promotion of a product after that user interacts with the marketer in some way”. European expert group issued a guidance on how the user's privacy should be maintained and the information related to them should be handled. “Topics included processing of sensitive data and images, advertising and direct marketing, and data retention".[12] Facebook announced changes in their user privacy settings but did not address the concern of user's data being shared with third-party via targeted advertisements. Canadian Privacy Commissioner also recommends that Facebook should improve on their privacy.[12]
2010 to 2012 - Twitter joined Gmail and Facebook to use "https" functionality by default for all users in order to secure data and protect privacy . Facebook timeline changed their user privacy setting again to "post archived user information, making old posts available under Facebook's current downgraded privacy settings".[12] It also came to light that DHS was using Facebook and Twitter for secret social network monitoring program. Maryland passed Bill that forbids employers from requesting Facebook information and California, Illinois followed suit as well. Myspace was caught engaging in deceptive practices and had to pay a settlement , since they were revealing personal information to third party despite promising to protect the same. Facebook also acquired Face.com which brought on a host of privacy concerns over biometric data of individuals.Towards the end of the year 2012,Facebook updated their privacy controls and removed profile safeguard from profiles. Instagram also released their changes around this time in terms of privacy policies which raised some more legal questions.[12]
2013 to 2015 - Snapchat was investigated as they were still accumulating PII despite claiming that users could delete their videos and pictures forever , WhatsApp were questioned and complaints were raised regarding Facebook acquisition of the same. Facebook starts tracking user across the web without consent after policy changes.[12]
2018 - Facebook Cambridge Analytica scandal made huge news. Cambridge Analytica breached into the personal data of millions of people's Facebook profiles without their consent and used it for political advertising Facebook got a lot of flak for this scandal and Facebook had to take their privacy policies into new consideration to keep their company afloat and retain their consumers.[13]
Laws regarding social networks
[edit | edit source]A lot of reforms have been done to address the privacy concerns including introducing laws to changing privacy policies of how social network platform should be maintaining to retain their customers. Below are the relevant laws related to social networking:
- Privacy Act of 1974 - "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains" , it also depends on 12 exceptions.[14] This basically meant that companies at the time were not responsible for actually letting their consumers/any other agencies know that what kind of their personal information was being used until and unless there was a written request and or a written consent of the person, to disclose the same except under certain 12 conditions. Some of these included providing this information to government agencies , if requested via court orders, for the benefit of health or safety if deemed important for an individual , law enforcement agency, debt collector's office, for statistical research, Freedom of Information Act , to name a few. These exceptions in the later run did become points where companies like Facebook, Snapchat, Twitter could bypass and still use their user's profiles to target ads and sell their data to third party agencies as well as also become targets for stalking, abuse, social profiling and various other illegal acts.
- Employee and Student Privacy Protection Act - This holds back employers and educational institutions which have particular power over employees and students from making such demands. It allows employees and students to preserve the privacy of their personal online accounts. It was approved by Uniform Law Commission and is yet to be adopted by several state educational institutions as well as a few employers in the states where it has not yet been adopted.[15]
- GDPR - General data protection and regulation Act was introduced in April 2016 and adopted in May 2018. This Act forces companies to improve the protection of their users’ data and to make it easier to understand what kind of data is being collected and for what purposes. They can be fined up to 4% of their global revenue or 20 million euros which is a hefty fine. Also, since companies collect data from everyone globally and this is applicable to European Union citizens explicitly, companies get their privacy policies compliant to GDPR rules for everyone. This is a win for consumers as their personal data is liable to be protected, have more privacy and also be informed if their personal information has been involved in a data breach.[16] More details of GDPR can be found in the section of Privacy and Data Protection, in this chapter.
- CCPA - California Consumer Privacy Act went into effect on Jan 1, 2020. This was created to curb the companies to collect personal information like birthday, phone numbers ,email addresses and other data. Social media giants like Facebook, LinkedIn, Twitter, Instagram, Snapchat and others have to comply with this and accordingly update their privacy policies to keep their consumers especially in California, notify them on what information is being used and possibly allow to opt-out from sharing the same to third party networks.[17] More about CCPA is also mentioned in the section of Privacy and Data Protection, in this chapter.
- COPPA - The United States' Children's Online Privacy Protection Act (COPPA) governs the gathering of personal data from children under the age of 13. Before collecting data from minors, businesses must get approval from the parents.[18]
- LGPD - A Brazilian legislation called the Lei Geral de Proteço de Dados (LGPD) governs the gathering, exploitation, and processing of personal data. It offers people the right to access and delete their data and mandates that corporations acquire authorization before collecting or processing personal data.[19]
- PIPEDA - The Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian legislation, governs how personal information is collected, used, and disclosed in the private sector. It guarantees people the right to access and update their personal information and mandates that businesses acquire consent before collecting personal information.[20]
- HIPAA - The Health Insurance Portability and Accountability Act (HIPAA), a US statute, controls how personal health information is used and shared. Patients are given the right to access and manage their health information, and healthcare practitioners and organizations are required to put measures in place to preserve patient privacy.[21]
- ECPA - The US law known as the Electronic Communications Privacy Act (ECPA) governs the intercepting and sharing of electronic communications. Before accessing electronic communications, like as emails and text messages, government agents must acquire a warrant.[22]
- Privacy Shield - Personal data can be transferred from the European Union to the United States under the EU-US Privacy Shield agreement. It offers EU residents the ability to access and update their personal data and imposes rigorous data protection rules on US businesses.
How to stay aware
[edit | edit source]The following actions may be taken to maintain your privacy when using social networking sites:
- Read the privacy policies: Read and comprehend the privacy rules of the social networking sites you use in detail. Find out more about the handling, sharing, and collection of your personal data.
- Adjust your privacy settings: You can manage who may view your information and activities by adjusting the privacy settings on most social networking sites. To ensure that they haven't been altered without your awareness, check these settings frequently and adjust them to your comfort level.
- Use two-factor authentication: Two-factor authentication adds an extra layer of protection by requiring a different form of identification in addition to your password, such as a text message or authentication app.
- Take care with what you share: Before posting private information, images, or videos on social networking sites, give it some thought. Think about the audience for your postings and the potential applications of your data.
- Follow up on your accounts: Check your social networking accounts frequently for any illicit activity or updates to your information or settings.
- Stay up-to-date: Follow news and advancements around privacy and social networking sites to stay current. Consider reading reliable news sources and participating in privacy and security-related workshops or webinars.
Overall, maintaining an awareness of privacy issues and social networking sites calls for taking the initiative and making a commitment to consistently reviewing and modifying your settings and behavior.
Conclusion
[edit | edit source]In conclusion, since social networking sites first emerged, privacy has been a big worry. Despite the fact that these platforms have taken steps to allay these worries, including putting in place privacy measures and user permission requirements, there continue to be issues with data collecting, third-party access, cyberbullying, and deepfake technology. Many nations have put in place different rules and regulations to safeguard user privacy online in order to allay these worries. Users need to be aware of these privacy issues and take precautions to secure their personal information online as social networking sites continue to play a large role in our lives. In the next section, one can read about how privacy is impacted by Internet of Things.
Privacy and The Internet of Things
[edit | edit source]The term ''Internet-of-Things'' is used as an umbrella term for various aspects related to the physical extension of the Internet and the Web through the widespread deployment of spatially distributed devices with embedded identification, sensing, and/or actuation capabilities. The large scale of IoT systems and the high level of heterogeneity are likely to increase the security risks posed by the current Internet, which is being used to enable interactions between humans, machines, and robots in any combination.[23]
In this section, we will cover the Internet of Things and privacy problems related to IOT, as well as some of the most common concerns with appropriate examples. We will also discuss a scenario in which IoT became a security and privacy liability for users. As previously stated, this chapter focuses mostly on privacy issues with IoT, thus you may notice that we emphasize
Privacy in IoT Devices
[edit | edit source]An IoT system can be thought of as a group of intelligent devices working together to achieve a shared objective. Depending on their target, IoT installations may use different processing and communication architectures, technologies, and design techniques at the technological level. Because of their low computational capacity, traditional security countermeasures and privacy enforcement cannot be effectively applied to IoT technologies; also, the large number of networked devices poses scaling concerns. At the same time, valid security, privacy, and trust models suitable for IoT applications must be defined in order to achieve full user approval. Since devices may handle sensitive information, data protection and user personal information confidentiality must be guaranteed when it comes to privacy regulations.
Individuals' understanding and perception of information privacy differ, and its enforcement necessitates efforts from both government and technology. In an IoT system, data is typically collected by end devices, transferred through communication networks, evaluated by local/remote servers, and finally given to various applications.[24] As a result, confidential data must be safeguarded at all stages of the architecture stack. In this instance, implementing appropriate privacy design strategies based on the functions of the layers in the data lifecycle is crucial. Techniques implemented at a specific layer may become insufficient or redundant otherwise.[25]
Because of its close relationship with the actual world, IoT technology should be designed to be secure and privacy-preserving. This means that security should be seen as a critical system-level attribute and should be considered while designing architectures and procedures for IoT solutions. Privacy governs the conditions under which data pertaining to specific users may be accessed. The key reasons for privacy being a core IoT need are the envisioned IoT application domains and the technologies deployed. Healthcare applications are the most notable application field, with the adoption of IoT technology hampered by a lack of acceptable systems for preserving the privacy of personal and/or sensitive information. This is expected to be a critical prerequisite for securing user acceptability and widespread adoption of the technology. Without guarantees of system-level secrecy, authenticity, and privacy, it is unlikely that critical stakeholders will adopt IoT solutions on a significant scale.
The widespread use of wireless media for data exchange may raise new concerns about privacy violations. Because of their remote access capabilities, wireless channels raise the danger of violation, potentially exposing the system to eavesdropping and fraudulent attacks. As a result, privacy is a serious open problem that may stifle IoT development. The development of real ways for constructing privacy-preserving mechanisms for IoT applications continues to pose various challenges. The definition of a general model capable of representing all IoT essential items and their interactions would aid the development of concrete implementations. Furthermore, the implementations should contain enforcement mechanisms capable of dealing with the volume and dynamic nature of IoT scenarios. To meet these needs, systems that can enforce dynamic data stream access control should be offered.
Common Concerns Relating to IOT and Privacy
[edit | edit source]Collection of Private Data
[edit | edit source]The gathering and sharing of individual data without the user's consent is one of the greatest privacy issues with IoT. Numerous IoT devices gather enormous volumes of data, which may reveal sensitive information about a person's interests, lifestyle, and habits. Smart thermostats, door locks, and security cameras are examples of smart home appliances that monitor people's daily activities, sleeping patterns, and home entry and exit times.
Data Security
[edit | edit source]Another issue is that IoT devices collect and store sensitive data, which can lead to vulnerabilities and privacy risks. As an example, in the event that a smart home device is breached, a hacker might approach essentially everything in a smart home including smartphones, TVs, cameras, and other smart devices.
Lack of control
[edit | edit source]The absence of user control over their data is one of the most serious privacy concerns with IoT. Devices can gather and send data without the users' knowledge or capacity to regulate what data is collected or transferred. Smart home and fitness trackers, for example, collect data on users' everyday activities and transfer it to third-party firms without their knowledge or agreement.
Third-party sharing
[edit | edit source]The enormous measure of Data created by IoT devices is routinely shared to third parties without the user consent, raising serious privacy concerns and the risk of data breaches, identity theft, and other privacy violations. In 2019, for example, researchers revealed that Amazon's Ring doorbell, an IoT device, was sharing customers' personal information with third-party analytics organizations without their knowledge.
Demonstrations of IoT privacy Issues
[edit | edit source]Most consumers are aware of phishing emails and links that might infect their phones when they are activated, but few are concerned about their televisions. Since the CIA supplied their engineers with documentation in 2014 that includes an attack on Samsung F-series smart TVs, smart TVs have been demonstrated to be hackable. According to the CIA documents, the exact vulnerability requires a person to have access to the smart TV to connect to a USB drive and dump the information saved in the television, as well as download malicious programs that contain key-loggers, visual controls, and audio controls. The previously mentioned capabilities of malicious software can be utilized to successfully spy on individuals; after all, the television screen is the largest screen and camera view in most homes.
Years later, in Defcon27, an independent security researcher by the name of Pedro Cabrera showed how to hack a smart TV using a more sophisticated technique. Cabrera hijacked the TV network provider's signal with a drone equipped with an antenna and a laptop, causing the smart television to podcast whatever Cabrera desired. Cabrera claims that as long as the signal from his drone antenna is greater than the signal from the network provider, he can hijack the signal and gain access to the targeted smart television. Placing the drone near the TV, whether on the rooftop or near a window, is an easy approach to boost the signal from the drone antenna. As the drone gets closer to the target house the signal for the drone antenna increases.[26]
In addition, many users have become aware in recent years that most gadgets and organizations do not request passwords over the phone or email. However, because most people buy smart televisions for improved quality rather than advanced technological capabilities, they are unaware that televisions, like phones and computers, should be kept with care[27]. Another hack that tackles this issue was demonstrated in Defcon27 by Cabrera, who demonstrated how he can make a popup window appear on the TV asking the user to re-enter the WIFI credentials because the service provider has made an update. The fact that the feed stops and the user cannot continue watching unless they submit the information asked by the hacker make this popup window appear real.
Conclusion
[edit | edit source]It is important to keep up with adequate security and protection norms to guarantee the real expansion of IoT services. The Internet of Things (IoT) has various security and information assurance challenges. IoT device data gathering, data security, lack of user control, and third-party sharing issues pose severe threats to individuals' privacy rights. Policymakers, organizations, and buyers should resolve these issues to guarantee that IoT devices are made and utilized in a way that respects individuals' protection and autonomy. Only by carefully considering the privacy implications of IoT can we fully realize the transformational promise of this technology while protecting fundamental human rights.[28]
Privacy and Health Care
[edit | edit source]Three significant ideas are regularly utilized in the assurance of healthcare data inside the United States medicinal services framework: classification, protection, and security. However, every one of these ideas has an alternate vital significance and one-of-a-kind job. The most important part of health care records is privacy. Healthcare records contain detailed information about the patient’s medical history to his data.[29]
The protection and security of patients’ healthcare data is a top need for patients and their families, medical insurance companies, and experts. Government laws require a significant number of people and associations that can handle health care data and can also provide security, ensuring the privacy of patients’ health care data regardless of whether it is put away on paper or electronically.
In the USA, most now and again, “HIPAA” rings a bell when medical records security is concerned with “The Health Insurance Portability and Accountability Act of 1996”. It was passed as the internet was becoming a larger presence in everyday life. It sought to enable the transfer of medical records from paper to electronic data.[30] HIPAA is responsible for privacy, security, and breach notifications about healthcare data. The Privacy Rule gives rights regarding healthcare data, which was developed by the Department of Health and Human Services (HHS) to protect the confidentiality of personal health information. The HIPAA also allows patients to the constraint on how their healthcare data can be used, and the security rule offers patients the freedom to choose and know how their medical records must be kept secure with authoritative, specialized, and physical protections. The patients must consent in order to disclose personal health information through a contract. The patients may have extra insurance and medical records rights under their State’s laws. There are likewise federal laws that secure health care records. [31]
Why privacy in health care is important
[edit | edit source]Health care research and security assurances both give significant advantages to society. Medical research is crucial to improving human health and medicinal services. Protecting patients engaged with the study and saving their privileges is a fundamental moral duty. The necessary legitimation for securing individual privacy is to ensure the interests of people in providing their data for research. Patients must provide their medical data for further study; it can drastically speed up the research process and will be very beneficial to society. Simultaneously, clinical research can profit people; for instance, it encourages access to new treatments, improved diagnostics, and increasingly compelling approaches to forestall disease.[32]
Without medical privacy, patients may avoid needed healthcare and physicians may not enter important information into the patient's records. Medical records contain sensitive information about every individual that could be used to negatively affect a person’s life. This includes fertility, abortions, substance/physical abuse, STDs, etc. Access to such information can damage a person’s reputation which can permanently affect their lives. Our medical records also contain mundane content such as height, weight, or if any bones were ever broken. Physicians need access to our complete medical records to provide an accurate diagnosis. Without an accurate diagnosis, patients may pay for an expensive treatment that was unnecessary or be given the incorrect medicine for a disease.[33]
What includes in privacy
[edit | edit source]Securing data gathered with the consideration of the patient is a fundamental belief in social insurance. Protecting different structures is an essential key to trust. Enhanced privacy includes various angles, including personal space (physical security), individual information (enlightening protection), own decisions including social and strict affiliations (decisional protection), and personal associations with relatives and different lingerie (associational security).
Doctors must look to ensure privacy protection in all settings to the best degree conceivable and should:
- (a) Minimize outsider interruption in health care records.
- (b) Inform the patient if there has been a breach, which can affect the patient directly or indirectly.
- (c) Be careful that singular patients may have exceptional worries about security in any of these zones. [34]
Protecting health care information can be broken down into three concepts:
- Privacy: Protecting one’s privacy is essential and the patient has the right to keep their medical record confidential. [35]
- Confidentiality: Selective control of sharing personal health information to a care provider or guardian under an agreement that limits what information may be released. [33]
- Security: Policies and principles that help maintain the integrity and availability of information access.
Ways to Protect Health care information
[edit | edit source]- Ensure the system
As hackers have an assortment of techniques for breaking to medicinal services associations’ networks, health care IT divisions need to utilize a variety of devices to attempt to keep them out. In many cases, most firms spend a lot on edge security, for example, firewalls and antivirus programming, while specialists caution, they ought likewise to be embracing advancements that limit the harm when assaults do happen.
- Train staff individuals for security
Regardless of any ill will, the staff members are mostly involved in data breaches because of carelessness. Subsequently, all the IT security programs are dependable upon staff training, including Preparing on what does and doesn’t compromise a HIPAA infringement. Staff should be educated about phishing, social engineering, and different other attacks that target representatives, and also choose a very very very strong password.
- Secure remote systems
Most of the Medical institutions are progressively depending on the remote operating system for their offices. Yet, sadly, those remote systems regularly present security to many vulnerabilities. Information can be taken by hacking into those systems, for instance, mainly if the association depends on obsolete technology, for example, if medical institutions utilize the very “Wired Equivalent Privacy (WEP) security standard.” Hacking these systems will be a piece of cake for hackers.
- Erase pointless information
The more information that is held by an association the more there is for hackers to take. Medical institutions should remove the redundant data, which is, at this point, not required or useful. Moreover, it consumes more energy and resources to routinely review the data that is not useful, so the association realizes what’s there and can recognize what might be erased.
- Improve physical security controls
Even as electronic health records become progressively typical, the medical institution may keep a great deal of sensitive information on paper. Thus, suppliers must ensure entryways and file organizers are locked and secured, and cameras and other physical security controls are utilized. Moreover, associations should make sure about IT hardware by locking server rooms and using link locks or different gadgets to keep PC and workstations joined to office furniture.
- Incident Response plan
It is essential to get ready for the worst; there is very little probability that the associations can always forestall each conceivable IT security occurrence. That is the reason it’s essential to build up a game plan for when a break occurs.[36]
It is very clear from the above sections that most people want to protect their information; most of them want to live a very private life. Apart from it, there is a lot of data breach that happened in medical institutions, which leads patients to conceal compassionate information from doctors; as a consequence, they could not get a proper cure for their disease. So protecting health care information is not just about protecting the information from hackers. Keeping medical information secret encourages patients to provide detailed information about their medical condition. Protecting health information will also help patients to come forward and offer their medical records for further research, which can increase the standard of care in hospitals. By using the recommendation provided in this article, a lot of data breach attacks can be stopped from being successful. Patients want to provide their medical information, but due to a lack of privacy, they do not. If an exceptional level of privacy can be achieved in medical institutions, it can be very beneficial for the whole of humanity.
Privacy and Data Protection
[edit | edit source]In this section, we are discussing privacy and data protection. We will be focusing on a few laws and policies passed to protect a person’s privacy online, specifically concerning data protection. This is in response to the many technologies that have arisen with time. The issue with rapid advances in technology has caused many new avenues for nefarious people looking to obtain someone’s personal information. This has led to an increase in the need for data protection. In this specific section, we will discuss the background of Privacy and why it has changed. How did this lead to a need for data protection? What are the technologies that were developed for Data Protection? What laws and policies were passed for Data Protection? As mentioned before, this chapter focuses mainly on privacy and the issues concerning data protection. This is so you might understand that no matter how privacy has advanced in many forms in our society, there is a constant measure made to try and protect a person’s privacy and their personal information on the web.
How has Privacy evolved?
[edit | edit source]Privacy was created with a different mindset when the concept was first introduced in our society. It has always been considered a basic human right and has always encompassed many areas of a person’s life. The right to the privacy of the home, the privacy to your possessions, the privacy of your information. It is usually the government that has to protect and make sure that every citizen has a right to privacy in their lives. It can be quite difficult clarifying though, as many times documents concerning privacy and the subjects it protects are vague. In the US specifically, the Fourth and Fifth Amendments are used as the main source for determining what violates a person’s privacy today. This is because the right to privacy is not explicitly clarified in the Constitution, there is a lack of documentation at times to help clarify privacy and this has led to many having to look at whatever documentation they could and deciding if that is considered part of a person’s privacy. As well as protected by the government as well. As stated by Senator D. Brent Waltz “Even the most casual student of American Constitutional scholarship will note that the notion of “privacy” as a distinct legal construct is lacking in our founding documents.”(Waltz, 2014,p. 205). With the advancement of technology and the “Internet of Things,” privacy has become a big topic when dealing with matters of information online.[37]
What is Data Protection?
[edit | edit source]Data protection can be described simply as measures or technologies used to make sure that a person’s data or information is protected. Specifically, it aims to protect 3 aspects of data that can be clarified more by what is known as the C.I.A triad.
C.I.A Triad
[edit | edit source]The C.I.A Triad has nothing to do with the CIA, but is a model for organizations to look at certain aspects of information. It helps organizations by making sure several aspects are covered. By managing these aspects well, they can create reliable cybersecurity policies and procedures to protect that information and allow for proper data protection. CIA stands for Confidentiality, Integrity, and Availability, and these aspects allow for proper data protection.
Confidentiality
[edit | edit source]Data protection tries to protect the confidentiality of your information. It is the process of limiting access to information and data. It basically means that the information provided can only be seen by certain people, and making sure anyone unauthorized can not view or access the information. It is related to privacy, as it answers the question of who will use the data. People don't want their data to be seen or accessed by everyone. It can lead to damage to their assets or privacy. To achieve confidentiality of information, organizations use policies that educate employees on what they can view or not and tools such as data storage and cryptography to add security to the information. Examples of Confidentiality being breached are data dumps or disclosures of personal information on the internet.
Integrity
[edit | edit source]The next aspect of information in the C.I.A triad is Integrity. It is the process of protecting data to make sure that it stays unchanged and in the original condition that it was received. That means the information must not have been edited, modified, or deleted in any way unless authorized. The integrity of information can be at risk anytime it is being acquired, stored, or exchanged. This can be because of attacks from malware and viruses such as worms, trojans, logic bombs, or boot viruses. It also can be caused by buggy software or noise when transmitting data. To achieve integrity and maintain it, checksums and error-correcting are used to verify if bits or hashes were changed, and see if the integrity of the information was lost.
Availability
[edit | edit source]The last aspect of Information in the triad is Availability. This means that access to the information is always ready to be given to those that are authorized. To explain it, it is like a building with a keycard reader on the door. When you scan your card, you expect to be able to enter the building and use the resources inside. If the reader reads your card, but the door glitches and doesn’t open, you are denied Availability. This applies to information and data as well.[38]
ESG Data Protection Family Tree
[edit | edit source]Now how does Data Protection accomplish the aspects stated above? Well, Data Protection covers this by many activities. [39]
E-Discovery and Compliance:
[edit | edit source]It is the gathering of knowledge and information in electronic forms. It is the process of locating, extracting, analyzing, and reviewing digital data such as images, files, emails, network traffic, and more. It helps to draw a picture or, allow for there guidelines for people in the field of E-Discovery that are tasked with locating essential information.
Archiving:
[edit | edit source]Archiving is the process of securing information, especially inactive information for an unknown amount of time or a tremendous amount of time. the information can be brought out anytime and can be referenced but it is mostly not usable currently but still should be protected.
Backups:
[edit | edit source]Backups are creating copies of the information. Basically creating a secure copy of them so that if the original data is tampered with or corrupted, that you can use the backup copy to restore the original data.
Snapshots:
[edit | edit source]Snapshots are the process of recording the state of a machine at a specific time. Usually for storage devices, taking a snapshot is a good way to create a copy of data and information, similar to backups. Data and Information can be restored to that specific time of the snapshot.[40]
Replication:
[edit | edit source]Replication is a very costly part of data protection that is quite necessary for the disaster recovery process. Involves replicating and duplicating the data and then move it to an offsite location so that it is protected. This is more so for organizations to recover after attacks, natural disasters, and other incidents of great damage or harm to the data and information under them.[41]
Availability:
[edit | edit source]Availability is making sure that the data and information are accessible at times to whoever has access to it. To make sure it is not completely restricted and unattended to or unsupervised.
Disaster Recovery:
[edit | edit source]Disaster Recovery is the process of an organization making sure to recover from disasters and look at the state of their data. Basically seeing what might have lost Confidentiality, Integrity, and Availability. This involves using the tools and processes above and also trying to find what caused the disaster and how to plan for it in the future so that they would be able to recover more effectively if it ever happens again.[42]
Business Continuity:
[edit | edit source]Business Continuity is the process of creating systems and tools to help with the recovery process and deal with threats in the future. Basically planning ahead, to secure themselves, and make sure that threats can be taken care of or avoided again.
General Data Protection Regulation (European Union)
[edit | edit source]Yet there is more to ensure data protection than just tools and processes. There are many regulations, laws, and policies as well to help and ensure proper data protection. One of these regulations that are considered to be strongly accepted by many is the GDPR. Since 1995, Europe's data privacy has been regulated under the Directive 95/46/EC of the European Parliament along with the Council of 24 October 1995.[43] The regulations would be on the protection of individuals with concern to the treatment of the data, 1995 O.J. (I. 281) (Directive).[43] These regulations were viewed to be ineffective due to the rapid evolution of technology, they want to offer better protection and rights to EU citizens, and unification of data protection laws. This resulted in the creation of the “General Data Protection Regulation”(GDPR), which its final text was approved of in 2016.[43] The GDPR came into implementation on May 25, 2018.
The GDPR's main goal is to hold companies more accountable to user’s data and strengthen the control of users on their personal data. It does this by having provisions that require a business to safeguard the personal data and privacy of EU citizens for every transaction that transpires within the EU. Exportation of personal data outside of the EU is also regulated by the GDPR.[44]This legislation would force companies to have separated consent forms for the different types of data they collect along with the feasibility to retract consent. It would also prevent companies from the collection of data for children under 16 without a person that holds “parental responsibility”.[45]Companies that have had their databases breach would have to release a notice to those affected within 72 hours.[45] It will also give the consumer the ability to wipe out all data that has been collected on them by companies. Types of data that is protected by GDPR are basic identity information, web data, health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation.[44] The GDPR defines roles within a company for who is responsible for ensuring compliance with the GDPR’s regulations. These would be the data controller, data processor, and the data protection officer (DPO).[44] Any company that violates the rules of the GDPR would be subjected to a fine of up to 4 percent of annual global turnover or 20 million euros, whichever is larger.[45]
GDPR Principles to process data ethically
[edit | edit source]The GDPR states the principles in Articles (5-11) on how all the personal data should be processed.[46] Data controllers are expected to process personal data in an ethical manner. The six principles that account for ethical data processing are:
- Lawful, Fair and Transparent: Personal information of the data subject should be processed ethically, fairly and in a transparent manner. When in relation to the data subject, All the processes should be justifiable to the law.
- Purpose Limitation: The processes involving personal data should only be limited to the original purpose for which it was collected from the data subject.
- Data Minimisation: When collecting data, data controllers must ensure that only relevant information is collected in relation to the purposes.
- Accuracy: Personal data of data subjects must be accurate and kept up to date. Inaccurate or outdated data should be deleted.
- Storage limitation: The personal data collected must retain only when necessary. The data must be deleted when it is no longer needed for any legitimate purpose
- Integrity and confidentiality: Company must take technical measures that ensure the protection of personal data that include unauthorized access or unethical processing and against accidental loss.[47]
Privacy policies
[edit | edit source]Organizations should practice good ethics by following GDPR guidelines. According to Northwestern, A person’s name, email, phone, address, and SSN all count as being a user’s personal data as it identifies the user, “in practice, these also include all data which are or can be assigned to a person in any kind of way”.[48] Since these data entries are considered personal, the policies that govern them must use these data entries to a very limited extent. Ethical organizations should be protecting this information and only gathering the necessary information.
For the processor, the data must be limited to the extent required by the controller, and then must swiftly be deleted to ensure that the user’s information can not be used for other purposes except what is required. For the controller, the information provided by the processor must be categorized for deletion based on the conclusion that was resolved from the issue. For instance, within Oracle’s privacy policy is a statement reading, “engage in transactions with our customers, suppliers and business partners, and to process purchases of our products and services, will be retained for the duration of the transaction or services period”.[49] Failure to follow these guidelines is not only unethical but can lead to penalties.
US Privacy Law
[edit | edit source]In the US laws related to data protection are quite diverse. They have defined laws related to a different sector and medium-specific data security laws, for example, they have different laws and regulation are applied to financial companies, telecom department, health care, credit report, children's information gathering, etc. Moreover, every 50 states in the United States have their own laws and regulation which an organization has to abide. So, if anyone is trying to set up an organization they first have to regulate with the federal (if the bill is passed by the Congress)and then the state laws.[50]
As the US doesn’t have a Federal law specifically for the data protection or data breach all the 50 states came together and created rules and regulations. The state laws mostly focus on protecting data, proper privacy policies are created by the organization, how and what are the steps that are taken in securing and safeguarding SSN and driver’s license number, and the timeline for notifying about the data breach. Now, if we talk about the privacy laws California tops the chart it alone has more than 25 state laws that are related to data privacy/protection. Recently the state has introduced a new law California Consumer Privacy Act of 2018 (CCPA) which will be effective from January 1, 2020. On March 21st, 2018, South Dakota has signed a new law that is implied to an organization that are conducting business in the state. Considering the factor of having the most strict laws related to the financial sector New York tops the chart.[51][52]
Though the US privacy laws are very complex and difficult to understand, it’s very important to understand them and abide by the rules and regulations. Not only the state the Attorney General of the state or Federal Trade Commission has the right to take action against the organization too. They have set up rules and regulations too.
Privacy and Finance
[edit | edit source]Privacy for digital transactions is becoming increasingly important. Data breaches are now an inevitable part of our digital lives, but unlike other global events, many financial institutions collect information about their customers as a regular part of their business of providing products or services. For example, when you apply for a loan, you provide your name, phone number, address, income, and details about your assets. As the institution considers your application, it may collect additional details from other sources, such as credit reports prepared by credit bureaus. Even when you use a financial product-a credit card, for example-your institution will have a record of how much you buy and borrow, where you like to shop, and whether you repay your balance on time. Besides leading to more unwanted junk mail and telemarketer calls and credit card cramming, privacy invasions and information sharing could lead to denial of insurance or loans. Privacy invasions also lead to expensive rip-offs, identity theft and stalking.[53]
Privacy and Finance Risk Factors
[edit | edit source]Stolen Credentials
[edit | edit source]When addressing privacy in finance there are some important risk factors to look at. These are areas of privacy in finance that can be more susceptible to attack or breach compared to other areas. One of these areas is private credentials. These credentials are used to access financial information like bank statements or accounts. According to a Ponemon study from 2021, the compromising of those details accounted for 20% of breaches.[54] This is such a big factor since once those credentials are obtained, it is hard for a security system too identify them as being false or misused. So, keeping those credentials private can help maintain privacy for finances and financial institutions.
Legal Compliance
[edit | edit source]Another important area of risk to look at in finances is compliance with local, state, and/or federal law. Oftentimes, data needs to be kept private not just out of an ethical imperative, but also due to a legal requirement. For example, if a medical institution in the United States fails to comply with the Health Insurance Portability and Accountability Act (HIPAA), they can face up to a $25,000 fine in civil violations, and up to $50,000 fine plus jail time for criminal violations.[54] In the United States, there are no national privacy laws, so those instances will vary state to state. However, the General Protection Data Regulation (GDPR) from the European Union (EU) does impose either a €20 million or 4% of annual global gross revenue (whichever is greater) on violators of their privacy regulations.
Statistics
[edit | edit source]Every year millions of instances of identity theft and fraud occur in the United Sates of America. Below are some statistics from the Federal Trade Commission's (FTC) Consumer Sentinel Network ranging from 2018 to 2022. These statistics show how reports of identity theft and fraud have increased over the years in the past, only decreasing in total amount of reports in 2022.
Year | Identity Theft Complaints | Fraud Complaints | Other Consumer Complaints | Total |
---|---|---|---|---|
2018 | 444,338 | 1,523,295 | 1,203,425 | 3,171,058 |
2019 | 650,523 | 1,893,941 | 982,142 | 3,526,606 |
2020 | 1,388,539 | 2,365,362 | 1,318,247 | 5,072,148 |
2021 | 1,434,693 | 2,923,241 | 1,633,677 | 5,991,611 |
2022 | 1,108,609 | 2,369,527 | 1,694,993 | 5,173,129 |
It is also important to know what forms of identity theft are most prevalent. In 2022, the most common form of identity theft was credit card fraud, where the perpetrators would open a new credit card under someone else's name and use it themselves. Below are some statistics from the FTC's Consumer Sentinel Network on other most common forms of identity theft in 2022.
Type of Identity Theft | Amount of Reports | Proportion of Top Five |
---|---|---|
Credit Card Fraud - New Accounts | 409,981 | 43.7% |
Miscellaneous Identity Theft* | 263,419 | 28.1% |
Bank Fraud - New Accounts | 110,513 | 11.8% |
Tax Fraud | 78,588 | 8.4% |
Business/Personal Load | 76,020 | 8.1% |
Total | 938,521 | 100% |
*This refers to forms of identity theft like online shopping and payment account fraud, email and social media fraud, medical services fraud, insurance and securities account fraud, and other types of identity theft.
What do they do with your information?
[edit | edit source]Banks share experience and transaction information, but also share Social Security Numbers. On the positive side, federal regulators have determined that Social Security Numbers are non-public personal information that cannot be shared by financial institutions if consumers exercise their right to opt-out under the new law. Banks have been sharing names, addresses and Social Security Numbers of customers with credit bureaus, which subsequently sold this information to internet information brokers, private detectives, and debt collectors. Most experts believe the sale of these products, known as credit headers, leads to financial identity theft and stalking. Over 500,000 Americans a year are victims of identity theft.[55]
There is Someone Listening
[edit | edit source]Gregory Mankiw from Harvard University wrote about the nature, features, and functions of money. He explains that Money is the language via which societies transact goods and services and coordinates. As cash starts to disappear from societies and new digital forms of payments are introduced, for example credit cards and digital payments, transactions without intermediaries also start to go away. This means that people lose the ability to have privacy on our financial transactions and many of our fundamental rights and freedoms are undermined. By stripping away financial privacy in many ways people lose their fundamental rights[56]. For example with modern credit cards people are surveilled via their associations they form, the contents of their purchases and also their geographical location. This means that people can no longer transact privately as an intermediary like a bank is there surveilling these associations. People can be tracked through the whereabouts of their bank accounts. All of these are critical aspects of rights and as cash starts to fade away our freedoms gradually start to go away. Governments can also gain significant power from such a system as they can control the people and their political opponents and also penalize expressions. Privacy is crucial to a liberal and democratic society[57]. Even the most prominent advocate for ridding economies of large note denominations, Harvard economist Kenneth Rogoff, acknowledges “we need cash for privacy.”[58]
Privacy and Children
[edit | edit source]In recent years, protecting children's privacy has taken on greater significance, especially in light of how quickly technology is developing. Concerns about ethics and the law have been raised because children are particularly susceptible to having their personal information gathered and exploited without their awareness or agreement. In order to better comprehend the current situation and the difficulties that lie ahead, it is essential to look at the history of legal and ethical ideas related to privacy and children. This article tries to highlight some of the most important topics that are presently being discussed in this field and to give a quick review of the history of legal and ethical notions relating to privacy and children.
History
[edit | edit source]Recent technological developments that have made it simpler to obtain and utilize personal information without authorization have increased worry about protecting children's privacy. The development and adaption of legal and ethical ideas about children's privacy have been continuous throughout history. Children's privacy was not a worry in the early 20th century, and they were seen as extensions of their parents. But as the century went on, it became clearer and clearer that children's privacy needed to be protected.
To protect children's privacy rights, laws like the Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA) have been passed. The creation of kid privacy regulations has also been significantly influenced by ethical considerations. Numerous experts contend that children should be given legal protection for their right to privacy, which is separate from their parents' rights. In addition to legislative safeguards, there is a rising campaign to raise public awareness and education concerning children's privacy.
Overall, there has been constant change and adaptation throughout the history of legal and ethical notions relating to children's privacy. New ethical and legal issues will probably arise as technology develops, and the debate over children's privacy will probably continue to change (Wolak et al., 2018).
Privacy Concerns
[edit | edit source]Online Grooming
[edit | edit source]Online grooming is the practice of predators forming relationships with youngsters on social media and the internet in order to sexually exploit or abuse them. Children, who might not be aware of the risks associated with online interactions with strangers, are a particular worry.
Cyberbullying
[edit | edit source]Peer harassment or bullying of a youngster through the internet is referred to as cyberbullying. Cyberbullying, which can result in sadness, anxiety, and other mental health problems, is especially dangerous for children.
Data collection
[edit | edit source]Businesses may gather children's personal information without their awareness or consent, which raises questions regarding how the information will be used and protected. This may contain private data like your name, age, location, and browsing history.
Social Media Risks
[edit | edit source]Children may not completely comprehend the hazards associated with disclosing personal information on social networking sites, which leaves them open to online predators or cyberbullies. Social networking sites may also gather personal data about children for other purposes, such as targeted advertising.
Exposure to Harmful Online Content
[edit | edit source]Children may come into contact with improper or dangerous materials online, such as violent or sexual content, hate speech, or extremist material. Their well-being and mental health may suffer as a result.
Summary
[edit | edit source]These privacy concerns must be taken seriously, and action must be taken to safeguard children's private rights. This includes informing kids about the dangers of disclosing private information online, making use of privacy settings on social media and other websites, and carefully reading the privacy statements of the applications and gadgets they use. To create efficient laws and policies that safeguard children's privacy in the digital era, parents, teachers, and lawmakers must collaborate.
Privacy Laws
[edit | edit source]In the digital age, there are several laws and rules in place to safeguard children's privacy. The following are a few of the important laws and rules:
The Children's Online Privacy Protection Act (COPPA)
[edit | edit source]A federal legislation known as COPPA mandates that websites and online services get permission from parents before collecting personal data from children under the age of 13. The rule also mandates that businesses offer simple privacy policies that make it clear what data is being gathered and how it will be used.
General Data Protection Regulation (GDPR)
[edit | edit source]GDPR is a law of the European Union that regulates data privacy and protection for all people, including minors. In accordance with the GDPR, businesses must get explicit agreement from minors under the age of 16 before collecting their personal information, and they must be open and honest about how they gather data.
Consumer Privacy Act of California (CCPA)
[edit | edit source]A California state legislation known as the CCPA gives inhabitants of the Golden State the right to know what personal data is being collected about them, the ability to ask for the erasure of that data, and the right to refuse to have their personal data sold. The law also has particular guidelines for gathering personal data from minors under the age of 16.
Family Educational Rights and Privacy Act (FERPA)
[edit | edit source]FERPA is a federal statute that safeguards the confidentiality of student academic data. The legislation gives parents the opportunity to see and modify their child's educational records and mandates that schools acquire written parental approval before disclosing personally identifying information about their children.
Children's privacy is protected by these laws and regulations, and it is ensured that businesses and organizations are held responsible for their data gathering and privacy policies. Understanding these regulations and taking action to preserve children's privacy rights in the digital era is crucial for parents and educators.
Importance of Privacy for Children
[edit | edit source]Children are using technology and the internet at higher rates than ever before due to technology’s increased accessibility. Similar to adults, children use the internet and technology to play online video games, chat with friends, use social media, research, watch TV or movies, and more! However, with all of the use of the internet, there is more opportunity for children to expose information about themselves that they might not intend. Additionally, parents may not be fully aware of all their childrens’ online activity. Not many parents have conversations with their children about cybersafety and privacy on the internet because they themselves may not understand the risk and consequences. Children are now at equal risk as adults for being traced by profit-seeking advertisers, cybercriminals, and even bullies.
Privacy is a fundamental human right. Data storage for minors are really strict because children’s information is deemed as extremely sensitive information. But even still, minors are on social media platforms that actively collect and store data for all users! Children need to be vigilant when talking to strangers online and what they post online. There are additional risks that come with being a child on the internet such as naivety, increased vulnerability due to an undeveloped frontal lobe, and then being a target of sexual exploitation or other child endangerment. Privacy awareness is key to protecting children from financial disaster, stalking, and exploitation by corporations and other types of businesses. Children face the same consequences as adults when it comes to breached privacy. Some of these issues include not understanding privacy policies by different websites and companies, exposure of information that is not intended to a wide audience.
Solutions for Privacy Issues related to Children
[edit | edit source]The Children’s Online Privacy Protection act was enacted in April 2000 to help address the problem of children's vulnerability to privacy breach on the internet. The law applies to the online collection of data for those under the age of 13 years old for United States jurisdictions. It provides websites information about how to handle privacy policies, when and how to seek parental/guardian consent on behalf of a child, and “what responsibilities an operator has to protect children's privacy and safety online including restrictions on the marketing of those under 13.”
Cybersecurity and privacy education for children is a must when it comes to protecting children online and making sure they understand what they can and cannot share. Additionally, it is important that children understand that anything and everything they do online is likely to follow them. Key studies indicate that there are significant effects of using quiz and educational video to enhance best online safety beliefs and restrict online sharing. Additionally, the role of perceived parental influence are important to children and agencies that offer privacy education campaigns to help empower children to protect their privacy are beneficial.
In conclusion, privacy is an important feature of children's life, especially in the digital era. Children are exposed to a variety of privacy hazards due to the growing use of technology, which might jeopardize their safety and security. But now that rules and regulations have been established, there are safeguards in place to protect children's privacy. These rules and regulations mandate that businesses and organizations acquire parental permission before collecting children's personal information, disclose explicit information about how data is collected, and give parents access to and control over their children's educational records. Parents, teachers, and lawmakers must be aware of these rules and regulations and take proactive measures to safeguard children's privacy in the digital era. By doing this, we can make it safer and more secure for kids to develop and thrive online.
Conclusion
[edit | edit source]Privacy is a major concern in today's world with respect to our information and its chances of getting breached. Sharing information over the internet will not always ensure privacy as the internet is vast and deeply interconnected. However, we can put efforts into achieving privacy. Data protection comes through laws, policies, principles, and regulations. One such regulation is GDPR (General Data Protection Regulation), whose primary purpose is to make companies or organizations accountable to users' data and reinforce the control of users on their personal data. GDPR can implement principles on how the user's data should be processed.
Apart from data protection in general terms, privacy plays a vital role in the healthcare industry. Because health care research and security assurance are essentially significant to society, it is a fundamental duty to save patient's data and privileges in order to enhance human health and medicinal services. Another reason for securing the individual's privacy is to build the interest of people to provide their data for clinical research for further study, which can increasingly help in improvising the research process. In return, this becomes more favorable to society in the way of encouraging access to new treatments, upgrading diagnostics, and thus drastically putting irresistible efforts towards forestall diseases. Privacy in health care includes different angles such as physical security this can be personal space, information of individuals, and decisional information.
The success or failure of a financial service firm can depend on how it balances the use of confidential customer information while maintaining privacy. To capitalize on emerging growth opportunities, financial firms need to be flexible in sharing confidential customer data—whether across different departments, affiliated partners, or non-affiliated third parties such as technology or outsourcing firms, while complying with regulations and protecting the company’s reputation. The key lies in this delicate balance between data sharing flexibility and maintaining data privacy.
Kids are often attracted by the lure of online games and social media. Children must be reminded never to share personally identifiable information or financial details with online applications or services and teach them the difference between safe and malicious applications. Popular social media services like Facebook, Instagram, and TikTok require users to be at least 13 years old to sign up, however, many underage users still join. The 13 year old age limit comes from the US Children's Online Privacy Protection Act. Educate children about the impacts of sharing sensitive details on social media and the risks of interacting with strangers online. If one wishes to monitor your children’s online activity, use parental controls on their device.
Without the cooperation or assistance of social media giants, privacy in social media is not completely achievable because it is entirely dependable on how they modify their settings and policies in the interest of the users' data protection provided with all the laws and regulations placed. Irrespective of how sophisticated or user friendly the platform is made, it is not as powerful as its users because ultimately its revenue is made through the users who are active on these social media platforms, which can be utilized to raise their voices which makes them codependent. Thus with changing times, many advanced technologies are getting invented through which privacy issues can still be persistent. This is a constant battle that can only be controlled through stringent laws and regulations, which includes creating awareness among consumers to champion their own privacy rights.
Privacy in finances is also very important. Whether they are protecting their own financial information, or they work at a financial institution and are protecting others, they have both a legal and ethical responsibility of the utmost importance to maintain. One of the most important things for people to do to keep finances safe is take good care of protecting private credentials. With those credentials, malicious actors can simply pose as someone they're not, and do whatever they want with the financial information they access. Also, if this privacy is violated, organizations with any sort of presence in the EU could face at minimum a €20 million fine.
References
[edit | edit source]- ↑ https://facilethings.com/blog/en/principles-vs-rules
- ↑ a b "FERPA | Protecting Student Privacy". studentprivacy.ed.gov. Retrieved 2023-04-24.
- ↑ "Data protection and privacy laws | Identification for Development". id4d.worldbank.org. Retrieved 2023-04-24.
- ↑ a b c d e United States, Federal Trade Commission, Privacy Online: A Report to Congress, 1998, p.7-10
- ↑ Burke, F. (2013, December 2). Social Media vs. Social Networking. Retrieved from https://www.huffpost.com/entry/social-media-vs-social-ne_b_4017305
- ↑ Shah, S. (2018, June 20). The History of Social Media. Retrieved from https://www.digitaltrends.com/features/the-history-of-social-networking/
- ↑ Jones, M. (2015, June 16). The Complete History of Social Media: The Founding of the Online Networking. Retrieved from https://historycooperative.org/the-history-of-social-media/
- ↑ The 10 most popular social media sites in 2020. (2020, March 5). Retrieved from https://www.toptenreviews-online.com/social-media-sites/
- ↑ Rainie, L. (2018, March 27). How Americans feel about social media and privacy. Retrieved from https://www.pewresearch.org/fact-tank/2018/03/27/americans-complicated-feelings-about-social-media-in-an-era-of-privacy-concerns/
- ↑ Lindsey, N. (2019, May 28). New Research Study Shows That Social Media Privacy Might Not Be Possible. Retrieved from https://www.cpomagazine.com/data-privacy/new-research-study-shows-that-social-media-privacy-might-not-be-possible/
- ↑ Morrow, S. (2018, January 30). 5 Social Media Site Privacy Issues You Should Worry About. Retrieved from https://resources.infosecinstitute.com/5-social-media-site-privacy-issues-worry/#gref
- ↑ a b c d e f EPIC - Social Networking Privacy. (n.d.). Retrieved from https://epic.org/privacy/socialnet/
- ↑ Unbox Social. (2019, February 27). GDPR & Social Media-What The Updated Privacy Policies Mean. Retrieved from https://medium.com/@unboxsocial/gdpr-social-media-what-the-updated-privacy-policies-mean-69984844c43
- ↑ 5 U.S.C. § 552a(b).[PDF]. Retrieved from https://www.govinfo.gov/content/pkg/USCODE-2018-title5/pdf/USCODE-2018-title5-partI-chap5-subchapII-sec552a.pdf
- ↑ Greenberg, P. (2019, May 22). State Social Media Privacy Laws. Retrieved from https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-prohibiting-access-to-social-media-usernames-and-passwords.aspx
- ↑ Unbox Social. (2019, February 27). GDPR & Social Media-What The Updated Privacy Policies Mean. Retrieved from https://medium.com/@unboxsocial/gdpr-social-media-what-the-updated-privacy-policies-mean-69984844c43
- ↑ Wong, Q. (2020, January 3). CCPA: What California's new privacy law means for Facebook, Twitter users. Retrieved from https://www.cnet.com/news/ccpa-what-californias-new-privacy-law-means-for-facebook-twitter-users/
- ↑ "Children's Online Privacy Protection Rule ("COPPA")". Federal Trade Commission. 2013-07-25. Retrieved 2023-04-24.
- ↑ Sales Sarlet, Gabrielle Bezerra; Linden Ruaro, Regina (2021-08-31). "A PROTEÇÃO DE DADOS SENSÍVEIS NO SISTEMA NORMATIVO BRASILEIRO SOB O ENFOQUE DA LEI GERAL DE PROTEÇÃO DE DADOS (LGPD) – L. 13.709/2018". Revista Direitos Fundamentais & Democracia. 26 (2): 81–106. doi:10.25192/issn.1982-0496.rdfd.v26i22172. ISSN 1982-0496.
- ↑ "Office of the Privacy Commissioner of Canada. (2020). Personal Information Protection and Electronic Documents Act (PIPEDA)".
- ↑ Rights (OCR), Office for Civil (2021-06-09). "Health Information Privacy". HHS.gov. Retrieved 2023-04-24.
- ↑ Gudgel, John (2013). "Internet Privacy Policy Paradoxes: The Electronic Communications Privacy Act (ECPA) Amendments Act of 2013 & the Consumer Privacy Bill of Rights of 2012". SSRN Electronic Journal. doi:10.2139/ssrn.2257647. ISSN 1556-5068.
- ↑ Khan, Minhaj Ahmad; Salah, Khaled (2018-05-01). "IoT security: Review, blockchain solutions, and open challenges". Future Generation Computer Systems. 82: 395–411. doi:10.1016/j.future.2017.11.022. ISSN 0167-739X.
- ↑ Sicari, S.; Rizzardi, A.; Grieco, L. A.; Coen-Porisini, A. (2015-01-15). "Security, privacy and trust in Internet of Things: The road ahead". Computer Networks. 76: 146–164. doi:10.1016/j.comnet.2014.11.008. ISSN 1389-1286.
- ↑ Miorandi, Daniele; Sicari, Sabrina; De Pellegrini, Francesco; Chlamtac, Imrich (2012-09-01). "Internet of things: Vision, applications and research challenges". Ad Hoc Networks. 10 (7): 1497–1516. doi:10.1016/j.adhoc.2012.02.016. ISSN 1570-8705.
- ↑ Greenberg, A. (2019, August 12). Watch a Drone Take Over a Nearby Smart TV. Retrieved March 30, 2020
- ↑ Cisomag. (2020, January 10). 10 IoT Security Incidents That Make You Feel Less Secure. Retrieved March 30, 2020
- ↑ Tsirmpas, Charalampos; Anastasiou, Athanasios; Bountris, Panagiotis; Koutsouris, Dimitris (2015-12). "A New Method for Profile Generation in an Internet of Things Environment: An Application in Ambient-Assisted Living". IEEE Internet of Things Journal. 2 (6): 471–478. doi:10.1109/JIOT.2015.2428307. ISSN 2327-4662.
{{cite journal}}
: Check date values in:|date=
(help) - ↑ Health Information Privacy. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
- ↑ Bodie, M. T. (2022). HIPPA. Cardozo L. Rev. De-Novo, 118.
- ↑ Health Information Policy and Laws Retrieved from https://www.healthit.gov/topic/health-information-privacy-law-and-policy
- ↑ Appari, A., & Johnson, M. E. Information Security, and Privacy in Healthcare.
- ↑ a b Rindfleisch, T. C. (1997). Privacy, Information Technology, and Health Care. Communications of the ACM, 40(8), 92-100.
- ↑ Health Information Privacy. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
- ↑ George, J., & Bhila, T. (2019). Security, confidentiality and privacy in health of healthcare data. International Journal of Trend in Scientific Research and Development, 3(4), 2456-6470.
- ↑ Moore, I., Leason, S., Miller, S. C., & Hickson, G. B. Confidentiality and privacy in health care from the patient's perspective: does HIPAA help?
- ↑ Waltz, D. B. (2014). Privacy in the Digital Age. Ind. L. Rev., 48, 205.
- ↑ Samonas, S., & Coss, D. (2014). THE CIA STRIKES BACK: REDEFINING CONFIDENTIALITY, INTEGRITY AND AVAILABILITY IN SECURITY. Journal of Information System Security, 10(3).
- ↑ Pearlman, S. (n.d.). What is Data Processing? Definition and Stages - Talend Cloud Integration. Retrieved from https://www.talend.com/resources/what-is-data-processing/
- ↑ Snapshot technology overview. (2006, April 26). Retrieved from https://www.ibm.com/developerworks/tivoli/library/t-snaptsm1/index.html
- ↑ Data Replication – Backup Technology. (n.d.). Retrieved from https://www.delltechnologies.com/en-us/learn/data-protection/data-replication.htm
- ↑ Schwab, J., Topping, K. C., Eadie, C. C., Deyle, R. E., & Smith, R. A. (1998). Planning for post-disaster recovery and reconstruction (pp. 483-484). Chicago, IL: American Planning Association.
- ↑ a b c Petersen, K. (2018). GDPR: What (and Why) You Need to Know About EU Data Protection Law. [ebook] pp.12-16. Available at: https://www.kmclaw.com/media/article/247_July_Aug_2018_Peterson_Data_Protection.pdf
- ↑ a b c Nadeau, M. (2018, April 23). General Data Protection Regulation (GDPR): What you need to know to stay compliant. Retrieved from CSO: https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
- ↑ a b c Kharpal, A. (2018, May 25). Everything you need to know about a new EU data law that could shake up big US tech. Retrieved from CNBC: https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html
- ↑ Bhatia, P. Understanding 6 key GDPR principles. Retrieved from EU GDPR Academy: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
- ↑ Data Protection 2019: Laws and Regulations: USA: ICLG. (n.d.). Retrieved from https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa
- ↑ paper, O. W. (2018, April). Oracle Cloud Infrastructure and the GDPR. Retrieved from Cloud oracle: https://cloud.oracle.com/iaas/whitepapers/oci-gdpr.pdf
- ↑ N. (2018, May 25). Guidance for General Data Protection Regulations (GDPR) compliance in the conduct of human research. Retrieved from https://irb.northwestern.edu/sites/irb/files/documents/GDPR+Guidance.pdf
- ↑ Data Protection Law: An Overview(Rep.). (2019, March 25). Retrieved https://fas.org/sgp/crs/misc/R45631.pdf
- ↑ Law in the United States. (2019, January 28). Retrieved from https://www.dlapiperdataprotection.com/index.html?c=US&c2=&go-button=GO&t=law
- ↑ McDaniel, P., & Lipscomb, K. (2018, April 30). Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance. Retrieved from https://www.securityprivacybytes.com/2018/04/data-breach-laws-on-the-books-in-every-state-federal-data-breach-law-hangs-in-the-balance/
- ↑ https://www.american.edu/kogod/research/cybergov/upload/what-to-do.pdf
- ↑ a b RadarFirst (2021-08-19). "How do you Define Privacy Risk?". RadarFirst. Retrieved 2023-04-24.
- ↑ a b c "Facts + Statistics: Identity theft and cybercrime | III". www.iii.org. Retrieved 2023-04-25.
- ↑ https://siepr.stanford.edu/sites/default/files/publications/17-033_1.pdf
- ↑ https://cdn.harvardlawreview.org/wp-content/uploads/pdfs/vol126_cohen.pdf
- ↑ https://fcpp.org/2019/04/26/how-to-protect-privacy-in-a-cashless-economy/